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Overview 




By far, the most important federal statute impacting student records is the Family Educational Rights 
and Privacy Act (FERPA), enacted in 1974 to ensure student/parent access to education records and to 
limit disclosures to others for unauthorized purposes. The FERPA regulations are found in Title 34 of 
the Code of Federal Regulations, Part 99 (34 CFR 99). The FERPA Regulations are important because 
they set forth the basic federal records retention and destruction requirements. The records of students 
with disabilities will also be subject to the Individuals with Disabilities Education Act (IDEA) and 
Section 504 of the Rehabilitation Act and regulations. Finally, but certainly not least, is school district 
policy and procedure. Most schools will have their own requirements setting forth access procedures, 
copying fees, form of records, retention, and destruction schedules. 



Definitions — Records/Confidentiality 



Directory Information: information contained in an education record of a student that would not 
generally be considered harmful or an invasion of privacy if disclosed. It includes, but is not limited to, 
the student’s name, address, telephone listing, date and place of birth, major field of study, participation 
in officially recognized activities and sports, weight and height of members of athletic teams, dates of 
attendance, degrees and awards received, and the most recent previous educational agency or institution 
attended. 

Disclosure: to permit access to or the release, transfer, or other communication of education records — or 
the personally identifiable information contained in those records — to any party, by any means, 
including oral, written, or electronic means. 

Education Records: those records that are directly related to a student, contain personally identifiable 
information, and are maintained by the school district or institution or by a party acting for the agency or 
institution. The term does not include sole possession records of instructional, supervisory, and 
administrative personnel, provided that the record is kept in the sole possession of the maker of the 
record and is not accessible or revealed to any other person except a temporary substitute for the maker 
of the record. 

Eligible Student: a student who has reached age of majority or is attending an institution or 
postsecondary education. 

Records: any information recorded in any way including, but not limited to, handwriting, print, film, 
microfilm, microfiche, and all electronic records such as email, CD, and or DVDs. 
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Why FERPA was Enacted 



1. Schools had denied parents access to their children’s school records while allowing others, like 
government agents and prospective employers, access. 

2. Types of information contained in school records were, in many cases, inaccurate. Information 
was not always confined to fact or derived for educational purposes; innuendo and gossip were 
often noted. 

3. Right of access to students’ school records varied widely from State to State, controlled largely 
by common law principles, rudimentary case law, and school policy. 



FERPA AND Confidentiality 



FERPA was enacted to ensure the confidentiality of personally identifiable information in education 
records and to guarantee parents access to their children’s education records. The statute defines 
“education records” that are subject to its requirements, specifies who can see them and under what 
conditions, and contains procedures for complaints. 

Any school district or institution receiving funds under any federal program is subject to FERPA. All 
public elementary and secondary schools, charter schools, institutions of postsecondary education, and 
many private schools are subject to FERPA. 



Rights 



Either parent has the right to inspect and/or review their student’s education record unless the school 
district or institution has been provided with evidence that there is a court order or legally binding 
document relating to such matters as divorce, separation, or custody that specifically revokes these 
rights. (FERPA 99.4) 

When a student reaches age of majority, the rights accorded to, and consent required of, parents under 
FERPA transfer from the parents to the student. (FERPA 99.5) 
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School District Requirements 



Each school or educational agency must do the following: 

1 . Adopt an education records policy and implement procedures that meet the standards of 
FERPA 99.6. 

2. Annually notify parents and students in attendance of their rights pertaining to student records 
according to FERPA 99.7. 

3. Maintain a permanent file on each student. 

4. Maintain separate special education records. 

5. Provide public notice of directory information and provide parents an opportunity to refuse to 
disclose such information. 

6. Provide annual training to school staff on records and confidentiality. 



Access Rights 



The school shall permit a parent to inspect and review the education records of the student. The school 
shall comply with a request for access to records within a reasonable period of time but in no case more 
than 45 days after it has received the request. 



Fees 



A school may charge a fee for a copy of an education record unless the imposition of a fee effectively 
prevents a parent from exercising the right to inspect and review the student’s education records. 



Prior Consent Required For Disclosure 



The parent shall provide a signed and dated written consent before a school discloses personally 
identifiable information from the student’s education records, except as provided in FERPA 99.31. 
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Prior Consent Not Required For Disclosure 



A school may disclose personally identifiable information from an education record of a student without 

the written consent of the parent if the disclosure is 

1. To officials of another school or institution in which the student seeks to enroll provided that the 
school has a notice in its policies that it forwards education records on request to a school in 
which the student seeks or intends to enroll; 

2. For directory information if the school has given public notice to parents of students in 
attendance of the types of information that the school has designated as directory information — a 
parent has the right to refuse to let the agency or institution designate any or all of those types of 
information about the student as directory information; 

3. To organizations conducting studies for or on behalf of educational agencies or institutions to 
develop, validate, or administer predictive tests; administer student aid programs; or improve 
instruction provided that the personally identifiable information is destroyed when no longer 
needed for the purposes for which the study was conducted; and/or 

4. To comply with a judicial order or lawfully issued subpoena if the school or institution makes a 
reasonable effort to notify the parent of the order or subpoena in advance of compliance. 



Record of Access 



A school shall maintain a record of each request for access to and each disclosure of information from 
the education records of each student. The record must include the date of access, the person’s name, 
and the purpose for accessing the record. (See an example in the Appendix.) 

A record of access does not apply if the request was from or the disclosure was to the parent, eligible 
student, authorized school official, a party with written consent from the parent, or a party seeking 
directory information. 



Disclosure To Federal and State Officials 



Authorized federal and State officials may have access to education records in connection with a 
monitoring or evaluation of federal or State supported education programs or for the enforcement of or 
compliance with federal legal requirements that relate to those programs. (FERPA 99.35) 
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Disclosure for Health and Safety 



A school may disclose information from an education record to appropriate parties in connection with an 
emergency if knowledge of the information is necessary to protect the health or safety of the student or 
other individuals. (FERPA 99.36) 



Amendment 



When a parent believes the information contained in the student’s education record is inaccurate, 
misleading, or in violation of the privacy or other rights of the student, the parent may ask the school to 
amend the record. If the school decides not to amend the record, the parent shall be informed of their 
right to request a hearing under FERPA 99.21, 99.22. 



Complaint and Enforcement 



A person may file a complaint regarding an alleged violation under FERPA by writing the Family Policy 
Compliance Office, U.S. Department of Education, Washington, D.C. 20202-4605. 

(EERPA 99.60-99.64) 
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Special Education Records 



One of the most frequent complaints of special education staff is the amount of paperwork required for 
maintaining student records. This is a valid concern. Special educators need guidance and assistance to 
help them reduce unnecessary paperwork and provide techniques that would decrease time on 
paperwork, resulting in increased time to provide direct services for students with disabilities. 

Confidentiality requirements need to be understood and followed by school staff maintaining special 
education records. Sharing information with unauthorized individuals can lead to liability issues for the 
school and can violate the student’s civil rights. 

In many cases, special education files contain more than the required documentation to meet minimal 
compliance standards. The importance of proper documentation cannot be overstated; however, too 
much paperwork can be confusing and hide the essential documents such as the current lEP, which is 
used to provide an appropriate educational program. 

This section will help clarify issues of record keeping and confidentiality as it pertains to students in 
special education programs. 



Staff Training 



The school should provide information and annual training to all school staff regarding the importance 
of confidentiality and proper maintenance of special education records each school year. This could 
include the following: 



> Special education teachers 

> General education teachers 

> Related service providers 

> Paraeducators 

> Bus drivers 

> Secretaries 

> Administrators 

> Volunteers 

> Substitute teachers 
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Content of Special Education Files 



Since many students are in special education programs for numerous school years, the special education 
file tends to become very bulky. A school can decide what record keeping system is best to fulfill their 
particular needs; however, the following suggested system will provide an efficient method to manage 
student records. 

The recommendation is to create a two-tier process for maintaining special education and/or Section 504 
records. The primary file is kept with the main service provider or case manager and contains the 
essential compliance documents and current lEP. 

Contents of Primary File 

• Access log 

• Building level support team — early intervening documentation 

• Referral form 

• Initial consent to evaluate/consent for reevaluation 

• Multidisciplinary team report (eligibility determination) 

• Current Individualized Education Program 

• Initial permission for placement 

• Current written notices and meeting notices 

The primary file contains a limited amount of information and is bound in chronological order. At the 
end of the school year, outdated information, such as the old lEP and written notices, are sent to the 
special education director’s office to be filed in the secondary file. 

Contents of Secondary File 

• Parent correspondence 

• Written notices over one year old 

• Outdated lEPs 

• Test protocols 

• Annual review minutes 

• Student work samples 

• Written correspondence 

• Discipline notices 

• Three-year evaluation documentation 
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Acceptance of Special Education Records 



Schools receive students in special education who transfer at various times during the school year. When 
a student transfers to another school, the records should be sent as soon as possible to avoid any delay in 
services. It is never advisable to serve a student until the special education records have been obtained 
and reviewed by the reviewing special education staff. If the team disagrees with the findings and 
conclusions of the sending school, they can always order, with parent notification and consent, 
additional evaluations to validate past findings or provide reasons to proceed in a different direction. 

An lEP Team meeting should be called to review the records and make recommendations on any 
program changes. 



Case Manager/Record Locator 



It is best to assign a case manager to each student eligible for Section 504 and/or special education 
services. This individual would take the responsibility of storing and maintaining the student record. The 
case manager is usually the staff member who is the primary service provider. A record locator should 
be included in cumulative files and other student records listing a phone number, fax number, and/or E- 
mail address that can be used by the receiving school to determine if additional records exist on the 
student. 



Record Destruction 



EERPA does not address how long records should be kept. School districts can establish their own 
policy and procedures. A standard is five to seven years after the student exits the educational program. 

A school district must destroy personally identifiable information at the parent’s request when that 
information is no longer needed to provide educational services. This can be accomplished by removing 
personal identifiers from retained records. When records are no longer needed for educational purposes, 
a school may separate them from active files and retain them in a special file with limited access. 

Although largely complementary, IDEA regulations on student records go beyond the requirements of 
EERPA in some respects. Eor example, IDEA requires that parents be informed when a school proposes 
to destroy student records. Parents must be informed of their right to request destruction of information 
whenever their child graduates or leaves school, and with certain exceptions, this information must be 
destroyed at the parent’s request. The district may establish specific times, such as lEP meetings, school 
registration, or program completion, to inform parents that personally identifiable information is no 
longer required and will be destroyed. 

A school district, however, may retain a permanent record of a student’s name, address, phone number, 
grades, attendance record, classes attended, grade level completed, and year completed even over 
parental objections. Parents can request that their child’s record be amended if they feel the contents are 
misleading or inaccurate. If the school disagrees, the parent can request a hearing. If the parent does not 
prevail at the hearing, they can ask that a written statement be included in the record that explains 
their position. 
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Questions/Answers 



Family Educational Rights and Privacy Act (FERPA) 

The following are common questions and answers regarding FERPA. 

1. Question: Are schools required to comply with FERPA? 

Answer: Any school that receives federal education funds from the United States 

Department of Education must follow the procedures required by this federal law. 
Reference 41 CFR 99.1 

2. Question: What kinds of student records are parents allowed to review? 

Answer: FERPA applies to all records, files, documents, and other materials that contain 

information directly relating to a student and are maintained by the school district. 
Reference 41 CFR 99.3 

3. Question: May students see the same records as parents? 

Answer: No. While FERPA permits students to see their own records if they are over 18, 

there are some records that can be withheld: 

(1) Psychiatric or “treatment” records (Students can, however, request that a 
doctor of their choice review the record for them.) 

(2) Financial records of their parents — Reference 41 CFR 99.12 

4. Question: If requested, when does the school show the records to parents? 

Answer: Under FERPA, the school has 45 calendar days to comply with the parents’ request. 

Some schools have written procedures that establish a shorter time period. In this 
case, the school must comply with their shorter time period. 

Reference 41 CFR 99. 1 1 

5. Question: May parents bring someone with them, such as their child or a 

friend, to examine the records? 

Answer: Yes. While FERPA does not state specifically that parents have this right, other 

federal regulations (IDEA) state that parents may authorize others to see the 
records. The school may ask that parents sign a statement indicating that the friend 
has such permission. Reference 34 CFR 300.562 
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6. Question: 

Answer: 



7. Question: 

Answer: 

8. Question: 

Answer: 

9. Question: 

Answer: 



10. Question: 

Answer: 



Who else may see a student’s records without parental consent? 

(a) School officials in the same district with a “legitimate educational interest” 

(b) School officials in another school system in which the student intends to enroll 

(c) Various State and national educational agencies when enforcing federal laws 

(d) Anyone to whom the school must report information as required by State statute 

(e) Accreditation and research organizations helping the schools 

(f) Student financial aid officials 

(g) Those with court orders or subpoenas (Reference 41 CFR 99.31) 

(h) During State monitoring activities 

May probation officers see student records without parental consent? 

Under federal law, probation officers cannot see or receive information from 
student records without obtaining parental consent. 

May parents see a list of everyone who has asked for and received 
information concerning their child during the year? 

Yes. The school is required to keep a list of everyone who requests and receives 
information with the records themselves. Parents have a right to this information. 
The list needs not include school employees who have seen the records. 

Reference 41 CFR 99.32 

If parents think information is misleading or false, how can 
they get such information removed from the student’s record? 

First, the parents request that such information be removed and state the reason 
for the request. If the school refuses to do so, then the parent can request a school 
hearing. The request should be put in writing and sent to the appropriate school 
official. At the very least, the parent can request the school insert their written 
statement explaining reasons why they believe the records are inaccurate. 

Reference 34 CFR 300.564, 34 CFR 300.567, 34 CFR 300.568, 34 CFR 300.569, 

41 CFR 99.20, 41 CFR 99.21, and 41 CFR 99.22 

Who has access to the student’s records? 

Parents have the right to inspect and review the records of their child. Students 
who have reached the age of majority also have the right to review their records. 
State education agency staff and school personnel who are authorized to inspect 
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records are those certified personnel and school board members with a legitimate 
educational interest in reviewing the records. 

For persons not so authorized to review records, the school must keep a log of 
parties obtaining access to student records showing the name of the person given 
access, date access was given, and the purpose for which the party was authorized 
to use the records. Reference 34 CFR 300.562, 34 CFR 300.571, 41 CFR 99.11, 
41 CFR 99.30, 41 CFR 99.31, and 41 CFR 99.32 

11. Question: Do school board members have a right to know the names of 

students with disabilities? 

Answer: They have a right to the names of individual students with disabilities only for the 

purpose of carrying out duties of the School Board. Reference 41 CFR 99.31 and 
41 CFR 99.32 

12. Question: When a request for transfer of records of a student with disabilities is 

received, including proper parental permission, should the school transfer 
all records? 

Answer: On notification of transfer, all the student’s educational records shall be 

transferred, including behavioral records and reports contained in the cumulative 
file furnished to the sending school by other private or public agencies. 

Reference 41 CFR 99.31 

13. Question: Are parents entitled to review their child’s test protocols? 

Answer: The school must permit the parents of a student with a disability to inspect and 

review any educational records relating to their child, including test protocols. 

The procedure of allowing parents to examine and discuss the protocols in the 
school office under supervision would comply with the basic requirement under 
Reg. 300.562(a). Reference 34 CFR 300.562(a) 

14. Question: Who is responsible for storage of student test protocols? 

Answer: The school is responsible for ensuring that test protocols are accessible regardless 

of where they are stored. FERPA defines educational records as those which are 
“(1) directly related to a student, and (2) are maintained by an educational agency 
or institution or by a party acting for the agency or institution.” A school 
psychologist would be considered “a party acting for” the school district; 
therefore, records maintained by a school psychologist would be accessible. 
Reference 41 CFR 99.5 

Summary 

FERPA provides parents a clear avenue through which they might ensure that the personal dignity and 
confidential information concerning their child is protected. It is clearly the intent of this law to provide 
parents a definite role in the provision of accurate record keeping and in the protection of the 
confidential information concerning their child. 
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Appendices 



FERPA Basics — Education Records 



The following are basic issues when dealing with educational records: 

1. FERPA is the Family Educational Rights and Privacy Act; the law outlines the 
requirement of educational record keeping. 

2. Personally identifiable information about students must be kept confidential by the 
school district. 

3. Each school district must have a written educational records policy. 

4. Parents have the right to inspect and review their children’s school records and can 
request copies. 

5. Access to student records by school staff members must be recorded on an “access” log 
in each student’s file, and the school records policy must identify by title the staff 
members with access to each type of student record. 

6. Release of student information outside the school requires parental consent, except (1) 
school district defined “directory information,” (2) within the public school system, and 
(3) in health and safety emergencies. 

7. Parental access rights transfer to adult students when they reach age of majority. 

8. Parents may request an amendment of records that they consider “inaccurate, misleading, 
or in violation of the student’s rights of privacy or other rights.” 

9. Notes concerning a student made by a staff member, retained by that person, and not 
shared with anyone are exempt from parental access. 

10. Education records do not include treatment records of students 18 years or older that are 
maintained by a health professional. 
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School District 

Special Education Documentation of 
Access to Records 



These reeords are confidential and may only be aeeessed by individuals who have a right to know, 
ineluding parents, elassroom teaeher, speeial edueation teaeher, related edueation serviee staff, speeial 
education paraeducator, building administrator, and special education director. 

Student: DOB: 



Access Date 


Person/Position 
Accessing Records 


Purpose of Access 









































































































Each school should keep a record of persons obtaining access to special education records. The record 
will include the name of the person, date of access, and the purpose for which the person is authorized to 
use the records. Access and use of student records will follow guidelines outlined be the Family 
Education Records Privacy Act. 
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Attention! 

Student Record Locator 

This file may not contain all records for this 
student. To determine if other records exist, 
please call, e-mail or write to 

S chool 

Address 

Phone Number 

Fax 

E-mail 




Family Education Rights and Privacy Act (FERPA) 



Annual Notice 



In accordance with federal regulations and for the benefit of parents and students in the school district, 
this notice serves to notify parents of students currently in attendance and students of legal age of their 
rights regarding educational records and confidentiality. 



Your Rights 



You have the right to the following: 

1 . Inspect and review your child’s educational record. 

2. If you feel the educational record is misleading or inaccurate, you can request an amendment to 
the part of record that is inaccurate. 

3. Give written consent before any personally identifiable information is released about your child. 

4. File a complaint with the Department of Education in Washington, D.C., which enforces 
regulations pertaining to educational records if alleged violations are being made by the school 
district and you have been unable to resolve those differences at the school district level. 

Procedures to Obtain Educational Records 

1 . Contact the school principal and inform him/her that you would like a copy of your child’s 
educational record. 

2. Allow the school five days to copy and provide the requested information. There may be a small 
fee to cover the copying. 

Procedures for Requesting a Change in Your Child’s Education Record 

1 . Inform the school principal that you have discovered inaccurate or misleading information and 
would like it amended or removed. 

2. Allow the school district five to 10 working days to decide whether your request is valid. 

3. If the school district disagrees with the request, you can file for a hearing with the school district 
to voice your concerns. 

4. If, as a result of the hearing, the school district decides that the information is inaccurate or 
misleading, the school will amend the record and inform you of the amendment in writing. 

5. If, as a result of the hearing, the school district decides the information is accurate and not 
misleading, they will notify you of the right to place a statement in the record explaining why 
you feel the information is misleading or incorrect. 

6. The school district is obligated to place a copy of your statement in the educational record. 

Eor more information or further explanation, please contact 

Name: 

Address: 

Phone: 
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Electronic Transfer of Records 




UNITED STATES DEPARTMENT OE EDUCATION 

OFFICE OF MANAGEMENT 



Mr. John Copenhaver 
Director 

Mountain Plains Regional Resource Center 
Utah State University 
1780 North Research Parkway, Suite 112 
Eogan, Utah 84321 

Dear Mr. Copenhaver: 

This is in response to your April 4, 1995, inquiry regarding requirements related to special education 
records. Your letter, which you addressed to Dr. Tom Hehir, Office of Special Education Programs, was 
forwarded to this Office for response on June 28, 1995, because we administer the Eamily Educational 
Rights and Privacy Act (EERPA), which relates to your concerns. 

You ask in your letter whether it is “permissible to transfer special education student records by fax or 
computer networks.” In this regard, you state: 

It is not uncommon to see special education student records transferred from one agency to 
another via fax or computer networking. 

You also ask whether it is permissible to include notices that a student is receiving special education 
services in a student's cumulative file. You state: 

Many school districts insert a notice in the student's cumulative file indicating there is a separate 
special education file located in another office. 

EERPA generally protects parents’ and students’ privacy interests in “education records.” The term 
“education records” is defined as those records which contain information directly related to a student 
and which are maintained by an educational agency or institution or by a party acting for the agency or 
institution. 34 CER § 99.3 “Education records.” EERPA applies to all education records, including the 
records of students who receive special education services. 
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Page 2 — Mr. John Copenhaver 



FERPA does not generally address what education records a school may or may not maintain or where 
the school maintains such records. Thus, under FERPA, a school would not be prohibited from placing a 
notice in a student’s cumulative records which states that the student receives special education services 
and that another file exists in another office. 

With regard to your question regarding the transfer of education records, FERPA generally requires that 
a parent or eligible student^ provide written consent prior to the disclosure of personally identifiable 
information from education records, except in certain specified circumstances. 34 CFR §§ 99.30 and 
99.31. For instance, prior written consent is not necessary when the disclosure is to a school official 
within the educational agency or institution with legitimate educational interest or when the disclosure is 
to a school in which the student is seeking or intending to enroll. See 34. CFR § 99.31(a) (1). and 
(2). For a list of the circumstances under which nonconsensual disclosures may be made, please refer to 
§ 99.31 of the enclosed regulations. 

FERPA does not generally address the manner in which education records may be disclosed. While on 
its face FERPA does not prohibit the transfer of education records to authorized parties by whatever 
means a school chooses, a school should take into consideration the potential for nonconsensual 
disclosures of education records resulting from a particular type of transfer. While we believe that the 
likelihood of an improper disclosure of education records that would result from transferring 
information to other school officials within an educational agency or institution by facsimile or internal 
computer network is minimal, it is the responsibility of each school to determine what precautions are 
necessary to protect education records in compliance with FERPA. 

I trust that the above information is responsive to your inquiry. In addition to the regulations, enclosed 
are a model student records policy and a model annual notification of rights to parents. Should you have 
additional questions regarding this matter of FERPA in general, please do not hesitate to contact this 
Office directly. Our current address and telephone number are: 

Family Policy Compliance Office 
U.S. Department of Education 
600 Independence Avenue, SW 
Washington, DC 20202-4605 
(202) 260-3887 



Sincerely, 

FeRoy S. Rooker 
Director 

Family Policy Compliance Office 



^ All rights afforded parents under FERPA transfer to the student when the student becomes an “eligible student.” The term 
“eligible student” means a student who has reached 18 years of age of is attending an institution of postsecondary education. 
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THE RELATIONSHIP OF HIPAA TO 
SPECIAL EDUCATION 



Compiled by Catherine Benitz, Program Specialist, Mountain Plains Regional Resource Center 

September 2006 

The purpose of this paper is to provide clarification to educators regarding the privacy of records and 
information related to the requirements of the Health Insurance Portability and Accountability Act 
(HIPAA) of 1996. This paper was originally distributed in 2003 and has been updated with resources 
and web page links. Additional resources and websites are provided for the reader to obtain current 
information regarding the required privacy regulations. 

What is HIPAA? 

The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, includes 
important — but limited — protections for millions of working Americans and their families around the 
ability to obtain and keep health coverage. Among its specific protections, HIPAA does the following: 

• Limits the use of preexisting condition exclusions. 

• Prohibits group health plans from discriminating by denying you coverage or charging you extra 
for coverage based on your or your family member's past or present poor health. 

• Guarantees certain small employers and certain individuals who lose job-related coverage the 
right to purchase health insurance. 

• Guarantees, in most cases, that employers or individuals who purchase health insurance can 
renew the coverage regardless of any health conditions of individuals covered under the 
insurance policy. 

In short, HIPAA may lower the individual’s chance of losing existing coverage, ease the ability to 
switch health plans, and/or help buy coverage if an individual looses an employer's plan and has no 
other coverage available. 

What is the HIPAA Privacy Rule? 

The privacy provisions of the federal law, HIPAA, apply to health information created or maintained by 
health care providers who engage in certain electronic transactions, health plans, and health care 
clearinghouses. The Department of Health and Human Services (DHHS) has issued the regulation, 
"Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by 
HIPAA. The Office for Civil Rights (OCR) is the departmental component responsible for implementing 
and enforcing the privacy regulation. (See the Statement of Delegation of Authority to the Office for 
Civil Rights, as published in the Federal Register on December 28, 2000. 
http://www.hhs.gov/ocr/hipaa/bkgrnd.html) 

The DHHS issued the privacy rule to implement the requirement of HIPAA. The privacy rule standards 
address the use and disclosure of individuals’ health information, or “protected health information,” by 
organizations subject to the privacy rule, or “covered entities,” as well as standards for individuals’ 
privacy rights to understand and control how their health information is used. Within DHHS, the OCR 
has the responsibility for implementing and enforcing the Privacy Rule with respect to voluntary 
compliance activities and civil money penalties. 
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A major goal of the privacy rule is to ensure that individuals’ health information is properly protected 
while allowing the flow of health information needed to provide and promote high-quality health care 
and to protect the public’s health and well being. The rule strikes a balance that permits important uses 
of information while protecting the privacy of people who seek care and healing. Given that the health 
care marketplace is diverse, the rule is designed to be flexible and comprehensive to cover the variety of 
uses and disclosures that need to be addressed. (See U.S. DHHS, OCR PRIVACY BRIEF, Summary of 
the HIPAA Privacy Rule, HIPAA Compliance Assistance at 
http://www.DHHS.gov/ocr/privacysummary.pdf) 

What is FERPA and how is it different from HIPAA? 

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of 
student education records. The law applies to all schools that receive funds under an applicable 
program of the U.S. Department of Education. 

FERPA gives parents certain rights with respect to their children's education records. These rights 
transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school 
level. Students to whom the rights have transferred are "eligible students." 

FERPA defines education records as those records that contain information directly related to a student 
that are maintained by an education agency, institution, or person acting for the agency or institution. 
( http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html) 

Health records are defined through the HIPAA privacy regulation, 45 CRR, § 164.501: Protected 
Health Information means any individually identifiable heath information that is 

• Transmitted by electronic media, 

• Maintained in any medium described in the definition of electronic media at §162.103 of this 
subchapter, and 

• Transmitted or maintained in any other form or medium. 

Protected health information excludes individually identifiable health information in education 
records covered by FERPA, as amended, 20 U.S.C. 1232g. 

Must public schools and education agencies comply with HIPAA? 

The preamble to the privacy regulation includes the following statement by the DHHS, the entity 
responsible for developing HIPAA Privacy: 

While we strongly believe every individual should have the same level of privacy 
protection for his/her individually identifiable health information. Congress did not 
provide us with authority to disturb the scheme it had devised for records maintained by 
educational institutions and agencies under FERPA. We do not believe Congress 
intended to amend or preempt FERPA when it enacted HIPAA. 

The HIPAA final rule explains that records that are subject to FERPA are not subject to HIPAA. 
Additionally, medical records that are exempt from FERPA's definition of "education records" under the 
section 99.3 provision are also exempt from coverage by HIPAA. (Page 82483 of the December 28, 
2000, Federal Register HIPAA final rule) 
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Who must comply with HIPAA? 

As required by Congress in HIPAA, the Privacy Rule covers the items listed below: 

• Health plans 

• Health care clearinghouses 

• Health care providers who conduct certain financial and administrative transactions 
electronically (These electronic transactions are those for which standards have been adopted by 
the Secretary under HIPAA, such as electronic billing and fund transfers.) 

These covered entities are bound by the new privacy standards even if they contract with others (called 
“business associates”) to perform some of their essential functions. The law does not give the DHHS the 
authority to regulate other types of private businesses or public agencies through this regulation. For 
example, DHHS does not have the authority to regulate employers, life insurance companies, or public 
agencies that deliver social security or welfare benefits. 

Many of the questions regarding covered entities, disclosures, access, and policies can be found at the 
Question and Answer site located at http://answers.hhs.gov/ . Specific questions are answered by 
clicking on the link to Health Information Privacy Policy sub- categories. 



What does the HIPAA Privacy Rule require providers to do? 

Covered Entities must protect individually identifiable health information against deliberate or 
inadvertent misuse or disclosure. Consequently, health plans and providers must maintain administrative 
and physical safeguards to protect the confidentiality of health information as well as protect against 
unauthorized access. HIPAA final rules explicitly mention the following actions: 

• Adopt written privacy procedures. 

• Train employees about security. 

• Designate a privacy officer. 

• Develop legal agreements that extend privacy protections to third-party business associates. 

• Obtain patient consent for most disclosures of protected health information. 

• Provide the minimum amount of information necessary. 

Those that misuse personal health information can be punished. The DHHS Office for Civil Rights, 
which is responsible for implementing the Privacy rules, can impose civil monetary penalties and 
criminal penalties for certain wrongful disclosures of protected information. Civil penalties can be 
imposed up to $25,000 per year and criminal penalties can range from $50,000 and one year in prison to 
$250,000 and 10 years in prison. 

These entities must inform individuals about how their health information is used and disclosed and 
ensure them access to their information. Written authorization from patients for the use and disclosure of 
health information for most purposes is also required with the exception of health care treatment, 
payment, and operations (and for certain national priority purposes). 

(See Kumekawa, Joanne K. (September 30, 2001) "Health Information Privacy Protection: Crisis or 
Common Sense?" Online Journal of Issues in Nursing. Vol. #6 No. #3, Manuscript 2. Available at 
http://www.nursingworld.org/ojin/topic 16/tpc 1 6 2.htm) 
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Would education programs ever be subject to HIPAA? 

You may need to eontaet DHHS to inquire about the applieability of HIPAA to reeords on non-students. 
However, students’ medieal reeords and edueation reeords under FERPA are not subjeet to HIPAA and 
should not be disclosed to DHHS under HIPAA. 

Educational institutions that provide health care services to individuals other than students or that 
provide health care coverage to their employees need to be familiar with and may be subject to HIPAA. 
Educational institutions that do not receive federal funds and maintain any student medical records may 
also be subject to HIPAA requirements. 

The procedures for the submission of electronic records and billing of medical information would be 
subject to HIPAA. Eor example, schools or Part C agencies that bill Medicaid for therapeutic services 
would need to comply with HIPAA for those procedures. 

The safeguards for the protection of privacy under both regulations are comparable and ensure 
confidentiality if staff members are trained and procedures are in place to maintain privacy 
and confidentiality. 

Where can I locate other resources? 

• Office of the Assistant Secretary for Planning and Evaluation Administrative Simplification in 
the Health Care Industry 

http ://aspe . os . dhhs . go v/admnsimp/ 

• Office for Civil Rights — HIPAA 

o Medical Privacy — National Standards to Protect the Privacy of Personal Health 
Information 

http://www.DHHS.gov/ocr/hipaa/assist.html 
o Overview of information from the Office of Civil Rights 
http://www.DHHS.gov/ocr/hipaa/guidelines/overview.pdf 
o What’s new at the Office for Civil Rights - HIPAA 
http ://w w w . DHHS . gov/ocr/hipaa/whatsnew . html 

• HIPAA Privacy Rule and Research Website (National Institute of Health) 
http ://pri vacyruleandresearch . nih . gov/ 

• Final Modifications to the Privacy Rule published in the Federal Register 
w w w . DHHS . gov/ocr/hipaa/finalreg . html 

• FERPA Regulations 

http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html 

• EERPA on-line library with reference to HIPAA 

http ://w w w . ed . go v/policy/gen/guid/fpco/ferpa/library /index .html 
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General Guidance eor Record Keeping and 
Maintaining Coneidentiality 



The following is guidance with respect to maintaining confidentiality at public schools. 

• Written or oral information about student and families is shared only with other personnel who have an 
explicit need to know for the benefit of the student/family (not for the benefit of the provider). 

• Information about one student is not shared with another student or parent under any circumstances. 

• Only necessary information will be shared with those who have an “educational interest” in the student. 

• Information should not be obtained from a parent or other person based on a promise that the 
information so obtained will not be shared with other appropriate personnel. 

• Discussions concerning confidential information are to take place in secured locations, not in hallways, 
stairwells, staff lounges, parking lots, or on the playground. 

• Confidential written documentation or notes of oral confidential communications should be stored in 
secure locations, and when in use, should be shielded from the view of others approaching the desk, and 
should not be left on a desk at all when the staff member has occasion to leave the desk. 

• Confidential information should not be left as a message with a secretary, on a voice mail, or on an 
electronic mail system. 

• Confidential information that must be mailed or carried should be placed in an envelope 
marked confidential. 

• Confidential information received by a school that was not requested or needed should be made part of 
the student’s/child’s record and should be returned to the sender or shredded. 

• Confidentiality should be maintained regardless of how the information is obtained 
(written, oral, electronic). 

• All staff and volunteers should be held to the same standard of confidentiality. 

• A school should have an explicit policy on the confidentiality of student/child information, which is 
coordinated with the school’s records policy. 
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Protecting the Privacy oe Student 
Education Records 



This document was prepared by Policy Studies Associates, Inc. under contract to the Council of Chief 
State School Officers. The document was printed by the National Center for Education Statistics for the National 
Forum on Education Statistics. The Forum represents the education agencies of the 50 states, the District of 
Columbia, and 5 outlying areas as well professional associations and federal agencies that are users or providers 
of education data. The views expressed here do not necessarily reflect the policy of die U .S. Department or 
Education and no official endorsement by die Department or Education should be inferred. 



Student education records are official and 
confidential documents protected by one of 
the nation’s strongest privacy protection 
laws, the Family Educational Rights and 
Privacy Act (FERPA). FERPA, also known 
as the Buckley Amendment, defines 
education records as all records that schools 
or education agencies maintain about 
students. 

FERPA gives parents (as well as students in 
postsecondary schools) the right to review 
and confirm the accuracy of education 
records. This and other United States 
“privacy” laws ensure that information 
about citizens collected by schools and 
government agencies can be released only 
for specific and legally defined purposes. 
Since enacting FERPA in 1974, Congress 
has strengthened privacy safeguards of 
education records through this law, refining 
and clarifying family rights and agency 
responsibilities to protect those rights. 

FERPA's legal statute citation can be found 
in the U.S. Code (20 USC 1232g), which 
incorporates all amendments to FERPA. 
FERPA regulations are found in the Federal 
Register (34 CFR Part 99). FERPA's 1994 
amendments are found in Public Law (PL) 
103-382. 

FERPA Protects Privacy 

FERPA applies to public schools and state 
or local education agencies that receive 
Federal education funds, and it protects both 
paper and computerized records. In addition 
to the Federal laws that restrict disclosure of 
information from student records, most 
states also have privacy protection laws that 
reinforce FERPA. State laws can 
supplement FERPA, but compliance with 
FERPA is necessary if schools are to 



continue to be eligible to receive Federal 
education funds. 

FERPA requires schools and local education 
agencies to have written and accessible 
policies about how they restrict the release 
of student records. The policies must explain 
parents' rights under FERPA, define what 
qualifies as “directory information" 
(personal information that can be made 
public), set procedures for reviewing and 
correcting records, and explain how and 
when student information can be disclosed. 
When students reach the age of 18, or when 
they become students at postsecondary 
education institutions, rights under FERPA 
transfer from the parents to the students. 

FERPA gives both parents, custodial and 
noncustodial, equal access to student 
information unless the school has evidence 
of a court order or state law revoking these 
rights. 

FERPA Defines an Education 
Record 

Education records include a range of 
information about a student that is collected 
in schools, such as: 

• Date and place of birth, parent(s) 
and/or guardian addresses, and 
where parents can be contacted in 
emergencies; 

• Grades, test scores, courses taken, 
academic specializations and 
activities, and official letters 
regarding a student's status in 
school; 

• Special education records; 
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• Disciplinary records; 

• Medical and health records that the 
school creates or collects and 
maintains; 

• Documentation of attendance, 
schools attended, courses taken, 
awards conferred, and degrees 
earned; 

• Personal information such as a 
student's identification code, social 
security number, picture, or other 
information that would make it easy 
to identify or locate a student. 

Personal notes made by teachers and other 
school officials that are not shared with 
others are not considered education records. 
Additionally, law enforcement records 
created and maintained by a school or 
district's law enforcement unit are not 
education records. 

Part of the education record, known as 
directory information, includes personal 
information about a student that can be 
made public according to a school system's 
FERPA policy. Directory information may 
include a student's name, address, and 
telephone number, and other information 
typically found in school yearbooks or 
athletic programs. Other examples are 
names and pictures of participants in various 
extra curricular activities or recipients of 
awards, pictures of students, and height and 
weight of athletes. 

Each year schools must give parents public 
notice of the types of information designated 
as directory information. By a specified time 
after parents are notified of their review 
rights, parents may ask to remove all or part 
of the information on their child that they do 
not wish to be available to the public 
without their consent. 



FERPA Guarantees Parent 
Review and Appeal 

If, upon review, parents find an education 
record is inaccurate or misleading, they may 
request changes or corrections, and schools 
and education agencies must respond 
promptly to these requests. 

Requests should be made in writing 
according to local policies. Within a 
reasonable time period, the school or agency 
must decide if the request to change the 
record is consistent with its own assessment 
of the accuracy of the record. If a parent's 
request is denied, he or she must be offered 
the opportunity for a hearing. If parents' 
disagreement with the record continues after 
the hearing, they may insert an explanation 
of their objection in the record. 

EERPA's provisions do not apply to grades 
and educational decisions about children 
that school personnel make. 

While parents have a right to review records, 
schools are not required by Eederal law to 
provide copies of information, unless 
providing copies would be the only way of 
giving parents access. Schools may charge: 
a reasonable fee for obtaining records, and 
they may not destroy records if a request for 
access is pending. 

FERPA Restricts Disclosure of 
Student Records 

Local education agencies and schools may 
release information from students' education 
records with the prior written consent of 
parents, under limited conditions specified 
by law, and as stated in local agencies’ 
student records policies. The same rules 
restricting disclosures apply to records 
maintained by third parties acting on behalf 
of schools, such as state and local education 
agencies, intermediate administrative units, 
researchers, psychologists, or medical 
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practitioners who work for or are under 
contract to schools. 

A school district is required, however, to 
have a policy that specifies the categories of 
officials and parties to whom records may 
be released without parent consent. The 
policy should be readily accessible to 
parents for review. 

Teachers and school officials who work with 
the students and schools to which students 
apply for entrance may also have access to 
education records without parent consent. In 
addition, information from students’ records 
may be released to State and local education 
officials to conduct audits or to review 
records in compliance with Federal laws. 
Schools may also disclose information from 
education records without the consent of 
parents in response to subpoenas or court 
orders. A school official must make a 
reasonable effort to notify the parent before 
complying with the subpoena unless the 
subpoena is issued to enforce a law and 
specifies not to notify the parent. 

In emergencies, school officials can provide 
information from education records to 
protect the health or safety of the student or 
others. 

There are cases when schools or school 
systems decide it is in the public interest to 
participate in policy evaluations or research 
studies. If student records are to be released 
for these purposes, the school or school 
system must obtain prior parent consent. 
Signed and dated written consent must: 

• Specify the records that will 
be released; 

• State the reason for releasing 
the records; 

• Identify the groups or individuals 
who will receive the records. 

In general, information about each request 
for records access and each disclosure of 
information from an education record must 
be maintained as part of the record until the 



school or agency destroys the education 
record. Outside parties receiving records 
must receive a written explanation of the 
restrictions on the re-release of information. 

Additional FERPA Provisions 

In 1994, the Improving America's Schools 
Act amended several components of 
FERPA, tightening privacy assurances for 
students and families. The amendments 
apply to the following key areas: 

• Parents have the right to review the 
education records of their children 
maintained by state education 
agencies; 

• Any agency or institution that 
inappropriately re-releases 
personally identifiable information 
from an education record cannot 
have access to education records for 
five years; 

• Information about disciplinary 
actions taken against students may 
be shared, without parents’ consent, 
with officials in other education 
institutions; 

• Schools may release records in 
compliance with certain law 
enforcement judicial orders and 
subpoenas without notifying 
parents. 

Questions? Call Your Local 
School System, State Agency, 
or the Family Policy 
Compliance Office 

School districts, state education agencies, 
and the U.S. Department of Education all 
offer assistance about EERPA. Before 
contacting Eederal officials, you can often 
get a direct and immediate response from 
your local or state education officials. 
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